EGallery Unauthenticated Arbitrary File Upload Vulnerability Allowing Remote Code Execution
Vulnerability
A vulnerability exists in EGallery version 1.2 that allows for unauthenticated arbitrary file uploads via the uploadify.php script. The application does not properly validate file types or require authentication, enabling remote attackers to upload malicious PHP files directly into the web-accessible egallery/ directory. This flaw leads to full remote code execution under the context of the web server.
Impact
Exploitation of this vulnerability allows for arbitrary file uploads, which can be leveraged to execute malicious PHP code on the server, resulting in unauthorized access or control over the web application or server.
Reproduction
To reproduce this vulnerability, send a POST request to the uploadify.php script with a crafted file that includes PHP code. The request must be made without authentication, and the uploaded file will be placed in the egallery/ directory. Once the file is uploaded, it can be accessed through the web server, which will execute the PHP code, providing a shell or executing the payload as specified.
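The upload-then-execute sequence described above leaves a recognizable trail in web server access logs. The following detection sketch is an added example, not part of the original advisory or of EGallery. It assumes common-format access logs; the sample lines, IP addresses, file names and the location of uploadify.php are constructed, and `find_upload_then_exec` and `known_scripts` are hypothetical names.

```python
import re
from urllib.parse import urlsplit, unquote

# Common/combined access-log prefix: client, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) ')

def find_upload_then_exec(lines, known_scripts=()):
    """Flag .php files under egallery/ that are first served successfully
    after a successful POST to uploadify.php."""
    baseline = {p.lower() for p in known_scripts}  # scripts shipped with the app
    last_upload, findings = None, []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not an access-log line in the expected format
        if not m["status"].startswith("2"):
            continue  # failed requests neither stored nor executed anything
        path = unquote(urlsplit(m["target"]).path)  # drop query, decode %xx
        key = path.lower()
        if key.endswith("/uploadify.php"):
            if m["method"] == "POST":
                last_upload = (m["ip"], m["ts"])
        elif "/egallery/" in key and key.endswith(".php"):
            if last_upload is None:
                baseline.add(key)  # served before any upload: treat as benign
            elif key not in baseline:
                findings.append({"path": path, "client": m["ip"],
                                 "time": m["ts"], "upload": last_upload})
    return findings

# Constructed sample log (documentation IP ranges, placeholder file names).
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Jan/2024:09:58:11 +0000] "GET /egallery/index.php HTTP/1.1" 200 5120',
    '198.51.100.7 - - [01/Jan/2024:10:00:02 +0000] "POST /egallery/uploadify.php HTTP/1.1" 200 1',
    '203.0.113.5 - - [01/Jan/2024:10:00:30 +0000] "GET /egallery/index.php?page=2 HTTP/1.1" 200 5090',
    '198.51.100.7 - - [01/Jan/2024:10:00:41 +0000] "GET /egallery/EXAMPLE-UPLOAD.php HTTP/1.1" 200 17',
    '198.51.100.7 - - [01/Jan/2024:10:00:50 +0000] "GET /egallery/missing.php HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    for finding in find_upload_then_exec(SAMPLE_LOG):
        print(finding)
```

Passing the list of PHP files shipped with the installation as `known_scripts` avoids false positives for application scripts that simply had not been requested before the first upload in the log window.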
